---
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-provisioner-job
spec:
  template:
    metadata:
      name: cert-provisioner-job
    spec:
      serviceAccountName: pl-cert-provisioner-service-account
      containers:
      - name: provisioner
        image: vizier-cert_provisioner_image:latest
        env:
        - name: PL_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        envFrom:
        - configMapRef:
            name: pl-cloud-config
        - configMapRef:
            name: pl-cluster-config
            optional: true
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
      securityContext:
        runAsUser: 10100
        runAsGroup: 10100
        fsGroup: 10100
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      restartPolicy: "Never"
  backoffLimit: 1
  parallelism: 1
  completions: 1
